INSURANCE REGULATORY AND DEVELOPMENT AUTHORITY OF INDIA

Ref: IRDA/IT/CIR/MISC/232/10/2017

12th October, 2017

To,
CMDs/CEOs - LIFE INSURERS, GENERAL INSURERS, HEALTH INSURERS AND REINSURERS

Re: Compliance on Guidelines related to Information and Cyber Security.

We draw your attention to IRDAI Circular Ref: IRDA/IT/GDL/MISC/082/04/2017 dated 7th April, 2017 setting out guidelines on Information and Cyber Security for Insurers. From the feedback/updates received from Insurers, it is observed that many of the insurers still have not finalised their Gap Analysis report, Cyber Crisis Management Plan and Board approved Information & Cyber Security Policy.

Ensuring that the Information and Computer Technology (ICT) infrastructure of insurers is fully secured is of paramount importance. Any vulnerabilities in ICT may result in compromise of the confidentiality of policyholder related information and exposure of sensitive information of the insurance sector and the financial markets in general. This would have serious repercussions not only for the Insurance sector but for the financial system of the country as a whole.

Therefore, Insurers are advised to take immediate steps for conducting a Security Audit of their ICT infrastructure, including Vulnerability Assessment and Penetration Tests (VAPT), through CERT-In empanelled Auditors, identify the gaps and ensure that audit findings are rectified swiftly. Insurers are also requested to firm up their Cyber Crisis Management Plan (CCMP) for handling cyber incidents more effectively.

The recently registered insurers and Reinsurers also must ensure that steps are taken for implementation of the Guidelines. In case CISOs have not yet been appointed by the recently registered entities, they are advised to ensure that they are appointed immediately.

Further, insurers who have not kept up with the timelines given in the Guidelines referred to above are advised to scale up their activities to comply with them.

Confirmation of having noted the above and the plan of action proposed may be submitted to it@irda.gov.in by 17th October, 2017.

(Dr. Maruthi Prasad Tangirala)
Executive Director (IT)

Parisharam Bhavan, 3rd Floor, Basheer Bagh, Hyderabad-500 004, India.
Ph.: 91-040-2338 1100, Fax: 91-040-6682 3334
